ReDoS: Spelling nfautils

java/ql/lib/semmle/code/java/security/regexp/NfaUtils.qll

@@ -59,8 +59,8 @@ predicate matchesEpsilon(RegExpTerm t) {
 /**
  * A lookahead/lookbehind that matches the empty string.
  */
-class EmptyPositiveSubPatttern extends RegExpSubPattern {
-  EmptyPositiveSubPatttern() {
+class EmptyPositiveSubPattern extends RegExpSubPattern {
+  EmptyPositiveSubPattern() {
     (
       this instanceof RegExpPositiveLookahead
       or
@@ -70,6 +70,9 @@ class EmptyPositiveSubPatttern extends RegExpSubPattern {
   }
 }
 
+/** DEPRECATED: Use `EmptyPositiveSubPattern` instead. */
+deprecated class EmptyPositiveSubPatttern = EmptyPositiveSubPattern;
+
 /**
  * A branch in a disjunction that is the root node in a literal, or a literal
  * whose root node is not a disjunction.
@@ -133,7 +136,7 @@ private predicate isCanonicalTerm(RelevantRegExpTerm term, string str) {
 }
 
 /**
- * Gets a string reperesentation of the flags used with the regular expression.
+ * Gets a string representation of the flags used with the regular expression.
  * Only the flags that are relevant for the canonicalization are included.
  */
 string getCanonicalizationFlags(RegExpTerm root) {
@@ -334,7 +337,7 @@ private module CharacterClasses {
     )
   }
 
-  private string lowercaseLetter() { result = "abdcefghijklmnopqrstuvwxyz".charAt(_) }
+  private string lowercaseLetter() { result = "abcdefghijklmnopqrstuvwxyz".charAt(_) }
 
   private string upperCaseLetter() { result = "ABCDEFGHIJKLMNOPQRSTUVWXYZ".charAt(_) }
 
@@ -697,9 +700,7 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
     lbl = Epsilon() and q2 = Accept(getRoot(dollar))
   )
   or
-  exists(EmptyPositiveSubPatttern empty | q1 = before(empty) |
-    lbl = Epsilon() and q2 = after(empty)
-  )
+  exists(EmptyPositiveSubPattern empty | q1 = before(empty) | lbl = Epsilon() and q2 = after(empty))
 }
 
 /**
@@ -1028,7 +1029,7 @@ module ReDoSPruning<isCandidateSig/2 isCandidate> {
    * as the suffix "X" will cause both the regular expressions to be rejected.
    *
    * The string `w` is repeated any number of times because it needs to be
-   * infinitely repeatedable for the attack to work.
+   * infinitely repeatable for the attack to work.
    * For the regular expression `/((ab)+)*abab/` the accepting state is not reachable from the fork
    * using epsilon transitions. But any attempt at repeating `w` will end in a state that accepts all suffixes.
    */

javascript/ql/lib/semmle/javascript/security/regexp/NfaUtils.qll

@@ -59,8 +59,8 @@ predicate matchesEpsilon(RegExpTerm t) {
 /**
  * A lookahead/lookbehind that matches the empty string.
  */
-class EmptyPositiveSubPatttern extends RegExpSubPattern {
-  EmptyPositiveSubPatttern() {
+class EmptyPositiveSubPattern extends RegExpSubPattern {
+  EmptyPositiveSubPattern() {
     (
       this instanceof RegExpPositiveLookahead
       or
@@ -70,6 +70,9 @@ class EmptyPositiveSubPatttern extends RegExpSubPattern {
   }
 }
 
+/** DEPRECATED: Use `EmptyPositiveSubPattern` instead. */
+deprecated class EmptyPositiveSubPatttern = EmptyPositiveSubPattern;
+
 /**
  * A branch in a disjunction that is the root node in a literal, or a literal
  * whose root node is not a disjunction.
@@ -133,7 +136,7 @@ private predicate isCanonicalTerm(RelevantRegExpTerm term, string str) {
 }
 
 /**
- * Gets a string reperesentation of the flags used with the regular expression.
+ * Gets a string representation of the flags used with the regular expression.
  * Only the flags that are relevant for the canonicalization are included.
  */
 string getCanonicalizationFlags(RegExpTerm root) {
@@ -334,7 +337,7 @@ private module CharacterClasses {
     )
   }
 
-  private string lowercaseLetter() { result = "abdcefghijklmnopqrstuvwxyz".charAt(_) }
+  private string lowercaseLetter() { result = "abcdefghijklmnopqrstuvwxyz".charAt(_) }
 
   private string upperCaseLetter() { result = "ABCDEFGHIJKLMNOPQRSTUVWXYZ".charAt(_) }
 
@@ -697,9 +700,7 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
     lbl = Epsilon() and q2 = Accept(getRoot(dollar))
   )
   or
-  exists(EmptyPositiveSubPatttern empty | q1 = before(empty) |
-    lbl = Epsilon() and q2 = after(empty)
-  )
+  exists(EmptyPositiveSubPattern empty | q1 = before(empty) | lbl = Epsilon() and q2 = after(empty))
 }
 
 /**
@@ -1028,7 +1029,7 @@ module ReDoSPruning<isCandidateSig/2 isCandidate> {
    * as the suffix "X" will cause both the regular expressions to be rejected.
    *
    * The string `w` is repeated any number of times because it needs to be
-   * infinitely repeatedable for the attack to work.
+   * infinitely repeatable for the attack to work.
    * For the regular expression `/((ab)+)*abab/` the accepting state is not reachable from the fork
    * using epsilon transitions. But any attempt at repeating `w` will end in a state that accepts all suffixes.
    */

javascript/ql/lib/semmle/javascript/security/regexp/NfaUtilsSpecific.qll

@@ -5,7 +5,7 @@
 import javascript
 
 /**
- * Holds if `term` is an ecape class representing e.g. `\d`.
+ * Holds if `term` is an escape class representing e.g. `\d`.
  * `clazz` is which character class it represents, e.g. "d" for `\d`.
  */
 predicate isEscapeClass(RegExpTerm term, string clazz) {
@@ -20,13 +20,13 @@ predicate isPossessive(RegExpQuantifier term) { none() }
 
 /**
  * Holds if the regex that `term` is part of is used in a way that ignores any leading prefix of the input it's matched against.
- * Not yet implemented for Javascript.
+ * Not yet implemented for JavaScript.
  */
 predicate matchesAnyPrefix(RegExpTerm term) { any() }
 
 /**
  * Holds if the regex that `term` is part of is used in a way that ignores any trailing suffix of the input it's matched against.
- * Not yet implemented for Javascript.
+ * Not yet implemented for JavaScript.
  */
 predicate matchesAnySuffix(RegExpTerm term) { any() }
 

python/ql/lib/semmle/python/security/regexp/NfaUtils.qll

@@ -59,8 +59,8 @@ predicate matchesEpsilon(RegExpTerm t) {
 /**
  * A lookahead/lookbehind that matches the empty string.
  */
-class EmptyPositiveSubPatttern extends RegExpSubPattern {
-  EmptyPositiveSubPatttern() {
+class EmptyPositiveSubPattern extends RegExpSubPattern {
+  EmptyPositiveSubPattern() {
     (
       this instanceof RegExpPositiveLookahead
       or
@@ -70,6 +70,9 @@ class EmptyPositiveSubPatttern extends RegExpSubPattern {
   }
 }
 
+/** DEPRECATED: Use `EmptyPositiveSubPattern` instead. */
+deprecated class EmptyPositiveSubPatttern = EmptyPositiveSubPattern;
+
 /**
  * A branch in a disjunction that is the root node in a literal, or a literal
  * whose root node is not a disjunction.
@@ -133,7 +136,7 @@ private predicate isCanonicalTerm(RelevantRegExpTerm term, string str) {
 }
 
 /**
- * Gets a string reperesentation of the flags used with the regular expression.
+ * Gets a string representation of the flags used with the regular expression.
  * Only the flags that are relevant for the canonicalization are included.
  */
 string getCanonicalizationFlags(RegExpTerm root) {
@@ -334,7 +337,7 @@ private module CharacterClasses {
     )
   }
 
-  private string lowercaseLetter() { result = "abdcefghijklmnopqrstuvwxyz".charAt(_) }
+  private string lowercaseLetter() { result = "abcdefghijklmnopqrstuvwxyz".charAt(_) }
 
   private string upperCaseLetter() { result = "ABCDEFGHIJKLMNOPQRSTUVWXYZ".charAt(_) }
 
@@ -697,9 +700,7 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
     lbl = Epsilon() and q2 = Accept(getRoot(dollar))
   )
   or
-  exists(EmptyPositiveSubPatttern empty | q1 = before(empty) |
-    lbl = Epsilon() and q2 = after(empty)
-  )
+  exists(EmptyPositiveSubPattern empty | q1 = before(empty) | lbl = Epsilon() and q2 = after(empty))
 }
 
 /**
@@ -1028,7 +1029,7 @@ module ReDoSPruning<isCandidateSig/2 isCandidate> {
    * as the suffix "X" will cause both the regular expressions to be rejected.
    *
    * The string `w` is repeated any number of times because it needs to be
-   * infinitely repeatedable for the attack to work.
+   * infinitely repeatable for the attack to work.
    * For the regular expression `/((ab)+)*abab/` the accepting state is not reachable from the fork
    * using epsilon transitions. But any attempt at repeating `w` will end in a state that accepts all suffixes.
    */

python/ql/lib/semmle/python/security/regexp/NfaUtilsSpecific.qll

@@ -6,7 +6,7 @@ import python
 import semmle.python.RegexTreeView
 
 /**
- * Holds if `term` is an ecape class representing e.g. `\d`.
+ * Holds if `term` is an escape class representing e.g. `\d`.
  * `clazz` is which character class it represents, e.g. "d" for `\d`.
  */
 predicate isEscapeClass(RegExpTerm term, string clazz) {

ruby/ql/lib/codeql/ruby/security/regexp/NfaUtils.qll

@@ -59,8 +59,8 @@ predicate matchesEpsilon(RegExpTerm t) {
 /**
  * A lookahead/lookbehind that matches the empty string.
  */
-class EmptyPositiveSubPatttern extends RegExpSubPattern {
-  EmptyPositiveSubPatttern() {
+class EmptyPositiveSubPattern extends RegExpSubPattern {
+  EmptyPositiveSubPattern() {
     (
       this instanceof RegExpPositiveLookahead
       or
@@ -70,6 +70,9 @@ class EmptyPositiveSubPatttern extends RegExpSubPattern {
   }
 }
 
+/** DEPRECATED: Use `EmptyPositiveSubPattern` instead. */
+deprecated class EmptyPositiveSubPatttern = EmptyPositiveSubPattern;
+
 /**
  * A branch in a disjunction that is the root node in a literal, or a literal
  * whose root node is not a disjunction.
@@ -133,7 +136,7 @@ private predicate isCanonicalTerm(RelevantRegExpTerm term, string str) {
 }
 
 /**
- * Gets a string reperesentation of the flags used with the regular expression.
+ * Gets a string representation of the flags used with the regular expression.
  * Only the flags that are relevant for the canonicalization are included.
  */
 string getCanonicalizationFlags(RegExpTerm root) {
@@ -334,7 +337,7 @@ private module CharacterClasses {
     )
   }
 
-  private string lowercaseLetter() { result = "abdcefghijklmnopqrstuvwxyz".charAt(_) }
+  private string lowercaseLetter() { result = "abcdefghijklmnopqrstuvwxyz".charAt(_) }
 
   private string upperCaseLetter() { result = "ABCDEFGHIJKLMNOPQRSTUVWXYZ".charAt(_) }
 
@@ -697,9 +700,7 @@ predicate delta(State q1, EdgeLabel lbl, State q2) {
     lbl = Epsilon() and q2 = Accept(getRoot(dollar))
   )
   or
-  exists(EmptyPositiveSubPatttern empty | q1 = before(empty) |
-    lbl = Epsilon() and q2 = after(empty)
-  )
+  exists(EmptyPositiveSubPattern empty | q1 = before(empty) | lbl = Epsilon() and q2 = after(empty))
 }
 
 /**
@@ -1028,7 +1029,7 @@ module ReDoSPruning<isCandidateSig/2 isCandidate> {
    * as the suffix "X" will cause both the regular expressions to be rejected.
    *
    * The string `w` is repeated any number of times because it needs to be
-   * infinitely repeatedable for the attack to work.
+   * infinitely repeatable for the attack to work.
    * For the regular expression `/((ab)+)*abab/` the accepting state is not reachable from the fork
    * using epsilon transitions. But any attempt at repeating `w` will end in a state that accepts all suffixes.
    */

ruby/ql/lib/codeql/ruby/security/regexp/NfaUtilsSpecific.qll

@@ -7,7 +7,7 @@ import codeql.Locations
 private import codeql.ruby.ast.Literal as Ast
 
 /**
- * Holds if `term` is an ecape class representing e.g. `\d`.
+ * Holds if `term` is an escape class representing e.g. `\d`.
  * `clazz` is which character class it represents, e.g. "d" for `\d`.
  */
 predicate isEscapeClass(RegExpTerm term, string clazz) {